As showers fall even in drought-stricken Silicon Valley (gracias, El Niño), Microsoft releases April’s Patch Tuesday with 13 security bulletins, six rated critical for remote code execution.

The bulletin to focus on is MS16-039, which contains fixes for the Microsoft Graphics Component of Windows, .NET Framework, Office, Skype for Business and Lync (the update is rated important for those using Office 2007 and 2010). Two Win32k elevation of privilege vulnerabilities (CVE-2016-0165 and CVE-2016-0167) have been exploited in the wild.

MS16-037 is a cumulative security update for Internet Explorer, patching six vulnerabilities. The fix modifies how IE handles objects in memory, validates input before loading DLL files and helps to restrict the information returned to IE.

MS16-040 patches a vulnerability (CVE-2016-0147) in Microsoft XML Core Services 3.0 for all supported Windows releases. Microsoft has updated how user input is processed by the MSXML parser.

The Microsoft Office security update – MS16-042 – addresses vulnerabilities by Office’s handling of objects in memory. Microsoft notes that “where the severity is indicated as Critical in Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0127.”

Bulletin MS16-050 contains fixes for vulnerabilities in Adobe Flash Player installed on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10. The patch updates Adobe Flash libraries in IE 10-11 and Edge. Last week, Adobe also released a security bulletin addressing 24 vulnerabilities.

For all you Edge users out there, MS16-038 is a cumulative Microsoft Edge update, also fixing six software flaws which could allow remote code execution as well as elevation of privilege. Microsoft has modified how Edge handles objects in memory and ensured Edge’s cross-domain policies are properly enforced.

Additionally, MS16-047 while only rated as important, contains the patch for the BadLock bug (CVE-2016-0128) that could allow elevation of privilege via man-in-the-middle attack: “An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user.” While the bug received plenty of attention (it even got a logo!), it appears its bark was worse than its bite.

2016 is already shaping up to be a banner year for vulnerabilities affecting Microsoft. According to the Skybox Vulnerability Center and Research Lab, the software giant has already logged 108 critical vulnerabilities. In 2015, Microsoft broke a 14-year record, reporting a whopping 553 vulnerabilities total.

Microsoft Vendor Profile - Skybox Vulnerability Center